A new phishing kit named “Xiū gǒu” has been discovered by cybersecurity researchers at Netcraft, targeting users in several countries, including the UK, US, Spain, Australia, and Japan. Since September 2024 the kit has been used to impersonate organizations in the public, postal, and banking sectors, posing a significant threat to both individuals and organizations.
The unique feature of the Xiū gǒu phishing kit lies in its branding and interactive elements, making it stand out among other phishing tools. With over 2,000 phishing websites identified, the kit has been found to mimic legitimate services to trick users into providing sensitive information, such as personal and payment details.
Named after the Mandarin Chinese internet slang “xiū gǒu,” meaning “doggo,” the phishing kit is built for lures aimed at motorists, recipients of government payments, and postal customers. The kit’s admin panel and associated Telegram account feature a cartoon dog mascot holding a soda bottle, adding an entertaining twist to its otherwise malicious intentions.
Technical analysis revealed that Xiū gǒu uses Vue.js for its front end and a Golang back end served by the SynPhishServer executable. Because the pages are rendered client-side, they behave more like a real web application than a static HTML clone, which makes them harder to assess from the raw page source alone. The kit has been deployed across more than 1,500 IP addresses and phishing domains, with a particular focus on the public sector, postal services, digital services, and banking.
The attackers behind Xiū gǒu leverage Cloudflare’s anti-bot and hosting obfuscation capabilities to evade detection, often registering domains under the “.top” top-level domain (TLD) with keywords matching the scam theme (parking, tax, parcel delivery, and so on). Victims are typically targeted through Rich Communication Services (RCS) messages, which arrive in the phone’s default messaging app, containing shortened links that redirect them to phishing websites imitating legitimate platforms.
Once users enter their personal and payment details on these fake sites, the information is exfiltrated to a Telegram bot set up by the fraudsters, posing a severe risk to the victims’ sensitive data. The Xiū gǒu phishing kit remains an ongoing threat in a global campaign targeting both businesses and individuals.
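The two indicators in the preceding paragraphs, lure domains on .top carrying scam keywords behind a shortened link, and a back end that forwards stolen form data to a Telegram bot, can both be turned into simple triage checks. The following Python is an added example written for this page; it is not Netcraft's tooling or the kit's code. The keyword list, allowlist, shortener list, and the sample egress log lines are constructed assumptions; the Telegram Bot API URL shape (`https://api.telegram.org/bot<id>:<token>/<method>`) is the real one.

```python
"""Triage helpers for Xiū gǒu-style indicators (added example, not the kit's
or Netcraft's code). Wordlists and sample data below are assumptions."""
import re
from urllib.parse import urlparse

# Keywords typical of motorist-penalty, government-payment and postal lures.
# Assumed wordlist; tune it to the brands your users actually receive.
LURE_KEYWORDS = ("parking", "penalty", "fine", "toll", "dvla", "gov", "tax",
                 "refund", "post", "parcel", "delivery", "usps", "bank")
SUSPECT_TLDS = (".top",)                          # the TLD the campaign favours
SHORTENERS = ("bit.ly", "t.co", "tinyurl.com")    # partial, assumed list
# Legitimate hosts that contain lure keywords; assumed, extend for your estate.
ALLOWLIST = ("gov.uk", "usps.com", "royalmail.com")


def triage_url(url: str) -> dict:
    """Score a URL from an RCS/SMS message before anyone clicks it.

    Returns {"host", "score", "reasons"}. Score is additive: +2 for the
    campaign's TLD, +1 per lure keyword, +1 for a known shortener. A hit on
    the allowlist short-circuits to 0 so brand keywords alone never fire.
    """
    if "://" not in url:
        url = "//" + url              # urlparse needs a scheme or leading //
    host = (urlparse(url).hostname or "").lower()
    if any(host == a or host.endswith("." + a) for a in ALLOWLIST):
        return {"host": host, "score": 0, "reasons": ["allowlisted"]}
    reasons, score = [], 0
    if host.endswith(SUSPECT_TLDS):
        reasons.append("tld:.top")
        score += 2
    hits = [k for k in LURE_KEYWORDS if k in host]
    if hits:
        reasons.append("keyword:" + ",".join(hits))
        score += len(hits)
    if host in SHORTENERS:
        reasons.append("shortener")
        score += 1
    return {"host": host, "score": score, "reasons": reasons}


# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<token>/<method>
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)")


def find_telegram_exfil(log_lines) -> list:
    """Flag outbound Bot API calls in egress/proxy logs from a web host.

    A server that only serves pages has no reason to talk to api.telegram.org;
    a sendMessage/sendDocument call from it matches the exfiltration pattern
    described above. Only a token prefix is kept so the full secret is not
    copied into tickets.
    """
    findings = []
    for line in log_lines:
        m = TELEGRAM_BOT_API.search(line)
        if m:
            bot_id, token, method = m.groups()
            findings.append({"bot_id": bot_id, "token_prefix": token[:4],
                             "method": method, "line": line.strip()})
    return findings


# Constructed sample egress log, not real traffic.
SAMPLE_EGRESS_LOG = [
    '2024-10-02T10:14:03Z src=10.0.0.5 method=POST '
    'url="https://api.telegram.org/bot1234567890:AAEXAMPLEtoken_000000000000/sendMessage" status=200',
    '2024-10-02T10:14:04Z src=10.0.0.5 method=GET '
    'url="https://cdn.example.net/app.js" status=200',
]

if __name__ == "__main__":
    for u in ("https://parking-penalty-gov.top/pay", "https://www.gov.uk/vehicle-tax",
              "bit.ly/3abcXYZ"):
        print(u, triage_url(u))
    for f in find_telegram_exfil(SAMPLE_EGRESS_LOG):
        print("exfil:", f["method"], "via bot", f["bot_id"])
```

The keyword check on its own is noisy (`www.gov.uk` contains "gov"), which is why the allowlist is consulted first and why the score, not any single reason, should drive a block decision. The egress check is the higher-confidence signal: it is independent of domain naming and fires on the exfiltration step itself, so it is worth running over proxy logs for any hosting you control or any compromised site you are asked to investigate.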
Netcraft’s research sheds light on the authors behind the phishing kit, highlighting their use of specific scripting languages, user tutorials, and a distinctive personality injected into their malicious tools. The kit’s authors are actively measuring and analyzing its use to optimize and improve their competitiveness over time.
To protect against falling victim to the Xiū gǒu phishing kit, users are advised to verify links before clicking (long-press or hover on a shortened link to see its real destination, and type the organization’s address directly rather than following a message), be cautious with personal information, enable Multi-Factor Authentication (MFA), use anti-phishing software, and learn common phishing tactics so threats are recognised before they escalate. Note that MFA protects account logins but not card numbers typed into a fake payment form, so checking the site itself remains the primary control against this kit.
In conclusion, the Xiū gǒu phishing kit represents a sophisticated and pervasive threat to users across multiple sectors and countries, emphasizing the importance of staying vigilant and adopting proactive security measures to safeguard against cyber threats.